From: Mark D. <mdo...@co...> - 2014-01-31 11:55:57

Hi Oleksiy,

The remote-saml2 authentication method isn't documented properly yet. The
<idpprofile> element was introduced in 1.1.2; the actual change is
documented though:
http://sourceforge.net/p/asimba/wiki/Changes%20since%201.1.2./#20130903-update-to-support-multiple-saml2-idp-profiles-with-multiple-remote-saml2-authmethod-configurations

Bottom line is: you need a configured SAML2 IDP Profile; the Remote SAML2
authentication method uses the id of the SAML2 IDP profile to reference
it, so incoming SAML2 Response messages can be handled correctly.

The example configuration that I provided to you (GLUU) configures a SAML2
IDP with an id "saml2", so the configuration in the RemoteSAML
authentication method would be:

<idpprofile id="saml2" />

Does this help you further?

Cheers!

Mark

On 30/01/14 23:12, Tataryn Oleksiy wrote:
> Thanks Mark,
> I tried configuring one external IDP, but asimba threw an error during
> tomcat startup, complaining about the lack of <idpprofile> element.
> Unfortunately I did not find any documentation about the idpprofile.
> How is it used or where can I find information about it?
>
> Attached is the tomcat log with the error.
>
> Best Regards,
> Oleksiy Tataryn
>
>
> On Wed, Jan 29, 2014 at 10:27 PM, Mark Dobrinic <mdo...@co...> wrote:
>
> > Hi Oleksiy,
> >
> > Some of your questions have some documentation to cover it, but let me
> > help you with your questions before we're there ;)
> >
> > btw; if you have suggestions on how to improve the docs, please let
> > me know.
> >
> > > Hello asimba-users,
> > > I am trying to use Asimba as a SAML proxy for several IDPs. The
> > > problem is that I cannot find any documentation for that and
> > > asimba.xml is not helping much.
> > > So here are my questions:
> > > 1. How do I add several external IDPs and remove the internal
> > > Asimba one (the one that accepts asimba1/asimba1 creds)?
> >
> > Asimba has a concept of an IDP profile, which is SAML, that reports on
> > how a user was authenticated.
> > Authentication is done by executing an authentication profile, that
> > contains one or more authentication methods.
> >
> > What you're looking for here, is authentication based on a remote SAML
> > IDP. This is implemented in the Remote SAML2 Authentication method.
> > This method is actually documented:
> > http://sourceforge.net/p/asimba/wiki/asimba-am-remote-saml2/
> >
> > So you'd start with defining a new authentication profile in asimba.xml:
> > /asimba/authentication/profile, something like this:
> >
> > <profile id="remote.saml2" friendlyname="remote.saml2" enabled="true">
> >   <method id="RemoteSAML" />
> > </profile>
> >
> > ... and then a web-based authentication method in asimba.xml:
> > /asimba/websso/authentication/methods/method like this:
> >
> > <method id="RemoteSAML" friendlyname="Remote SAML authentication"
> >   enabled="true" response_signing_required="true"
> >   class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
> >   ...
> > </method>
> >
> > ..you're setting up the context for using remote SAML IDP's.
> >
> > This can be set up using:
> >
> > <method ....>
> >   ...
> >   <idps id="saml2idps"
> >     class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage">
> >     <idp id="urn:idp:config:test1" friendlyname="Config Sourced Test IDP 1"
> >       scoping="true" avoid_subjectconfirmation="true">
> >       <metadata>
> >         <file>${webapp.root}/WEB-INF/sample-data/metadata-idp-config.test.xml</file>
> >       </metadata>
> >     </idp>
> >   </idps>
> >   ...
> > </method>
> >
> > There are some more options to configure here, that should be
> > documented. I'll put it on my list.
> >
> > > 2. How do I configure the discovery? What are the requirements for
> > > the IDPs?
> >
> > Discovery is by default done by a JSP-file that renders the IDP's
> > that the user can choose from. If this needs customization, you can
> > choose to either customize the JSP, or implement your own module that
> > you can configure to activate. This last one is only when you know
> > exactly what you want to do.
> >
> > > 3. I heard that asimba allows IDPs information to be stored in the
> > > database. How can I achieve that?
> >
> > The example above configures the IDP's from asimba.xml. If you want to
> > use a JDBC backed store, you should configure the <idps ..> element with
> > the JDBC-implementation:
> >
> > <idps id="saml2idps"
> >   class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.jdbc.IDPJDBCStorage" />
> >
> > This relies on a model storagefactory being configured in asimba.xml:
> > /asimba:
> >
> > <storagefactory class="com.alfaariss.oa.engine.storage.jdbc.JDBCFactory">
> >   <model>
> >     <environment_context>java:comp/env</environment_context>
> >     <resource-ref>jdbc/oaModel</resource-ref>
> >   </model>
> >   <system>
> >     <environment_context>java:comp/env</environment_context>
> >     <resource-ref>jdbc/oaSystem</resource-ref>
> >   </system>
> > </storagefactory>
> >
> > ... which relies on the jdbc/oaModel and jdbc/oaSystem resources to be
> > configured by your application server.
> >
> > See the Asimba Wiki documentation:
> > http://sourceforge.net/p/asimba/wiki/asimba-engine-storage/
> >
> > By default, the IDPs are queried from the table 'saml2_orgs', of which
> > the database definition is published on the remote-saml2 documentation
> > of the Asimba Wiki. This can be overruled. Let me know if you want me to
> > look it up. Either way, I should put it on the Asimba Wiki ;)
> >
> > > 4. How can I control which SPs are serviced by asimba?
> >
> > A SAML2 SP is an Asimba Requestor, that has some additional
> > SAML2-specific properties (Asimba is protocol agnostic, SAML2 is "just a
> > protocol"). Requestors are contained in a RequestorPool.
> >
> > Each RequestorPool defines which authentication profiles are allowed,
> > and which attribute gathering and -release policies are applied to it.
> >
> > If you want to set up a RequestorPool using a JDBC backend, this is
> > documented in the JDBC documentation on the Asimba Wiki:
> > http://sourceforge.net/p/asimba/wiki/asimba-engine-requestor-jdbc/
> >
> > If you want to set up the requestor pools in asimba.xml: there is an
> > example of this in the asimba.xml of the asimba-wa module of the sources
> > (line 179-201):
> > http://sourceforge.net/p/asimba/code/HEAD/tree/trunk/asimba-wa/src/main/webapp/WEB-INF/conf/asimba.xml
> >
> > So, the next thing is to add SAML2 specific data to the requestors.
> > Again, this can be done in a JDBC backend, by setting the properties (in
> > table requestorpool_requestor_properties):
> >   [saml2-profileid].metadata.file that contains the location of the
> >   filename to the saml metadata, or
> >   [saml2-profileid].metadata.http.url that contains the URL where the
> >   metadata can be retrieved from, or
> >   [saml2-profileid].metadata that contains the actual metadata itself in
> >   the database.
> >
> > (saml2-profileid is the id that you've given to the
> > com.alfaariss.oa.profile.saml2.SAML2Profile asimba/profiles/profile)
> >
> > .. or in the asimba.xml, by configuring the requestors inside the saml2
> > idp profile configuration: /asimba/profiles/profile/requestors like:
> >
> > <requestors signing="TRUE">
> >   <requestor id="localhost/AsimbaSimpleSP" signing="FALSE">
> >     <metadata>
> >       <file>${webapp.root}/WEB-INF/sample-data/metadata/asimbasimplesp.xml</file>
> >       <!-- when metadata is sourced from a URL instead, the
> >            configuration could look like this:
> >            <http timeout="10000" url="http://my.serviceprovider.com/sp/metadata" />
> >       -->
> >     </metadata>
> >   </requestor>
> > </requestors>
> >
> > I hope this helps you out.
> >
> > Cheers!
> >
> > Mark
> >
> > > Best Regards,
> > > Oleksiy Tataryn
> > >
> > > _______________________________________________
> > > Asimba-users mailing list
> > > Asi...@li...
> > > https://lists.sourceforge.net/lists/listinfo/asimba-users
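The wiring described in this thread (a SAML2 IDP profile, an authentication profile, and a RemoteSAML method that must carry an <idpprofile> naming that IDP profile) is easy to get wrong, as the startup error Oleksiy hit shows. Below is an added example, not code from the thread or from Asimba itself: a small Python check that reads an asimba.xml and reports a RemoteSAML method whose <idpprofile> is missing or does not name a configured SAML2 IDP profile, an authentication profile that references an unknown method, and a RemoteSAML method that does not require signed responses. The sample asimba.xml it checks is constructed, and placing <idpprofile> directly under <method> is assumed from Mark's description.

```python
import xml.etree.ElementTree as ET

SAML2_PROFILE = "com.alfaariss.oa.profile.saml2.SAML2Profile"
REMOTE_SAML2 = "com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod"


def check_remote_saml2(xml_text):
    """Return the problems found in the remote-saml2 wiring of an asimba.xml (empty = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []
    # ids of the configured SAML2 IDP profiles under /asimba/profiles/profile
    idp_profiles = {p.get("id") for p in root.findall("./profiles/profile")
                    if p.get("class") == SAML2_PROFILE}
    methods = {m.get("id"): m for m in root.findall("./websso/authentication/methods/method")}
    # every <method id=".."/> inside an authentication profile must name a websso method
    for prof in root.findall("./authentication/profile"):
        for ref in prof.findall("method"):
            if ref.get("id") not in methods:
                problems.append(f"profile {prof.get('id')}: unknown method {ref.get('id')}")
    remote = [(mid, m) for mid, m in methods.items() if m.get("class") == REMOTE_SAML2]
    for mid, m in remote:
        idpprofile = m.find("idpprofile")  # assumed to sit directly under <method>
        if idpprofile is None:
            problems.append(f"method {mid}: missing <idpprofile> (fails at startup)")
        elif idpprofile.get("id") not in idp_profiles:
            problems.append(f"method {mid}: idpprofile {idpprofile.get('id')} is not a SAML2 IDP profile")
        if m.get("response_signing_required", "false").lower() != "true":
            problems.append(f"method {mid}: response_signing_required is not true")
    return problems


# Constructed sample (not from the thread): "RemoteSAML" is wired as Mark describes,
# "RemoteSAML2" lacks <idpprofile> and response signing, the situation Oleksiy ran into.
SAMPLE_ASIMBA_XML = """<asimba>
  <profiles><profile id="saml2" class="com.alfaariss.oa.profile.saml2.SAML2Profile"/></profiles>
  <authentication>
    <profile id="remote.saml2" enabled="true"><method id="RemoteSAML"/></profile>
    <profile id="remote.saml2.b" enabled="true"><method id="RemoteSAML2"/></profile>
  </authentication>
  <websso><authentication><methods>
    <method id="RemoteSAML" enabled="true" response_signing_required="true"
            class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
      <idpprofile id="saml2"/>
      <idps id="saml2idps" class="com.alfaariss.oa.authentication.remote.saml2.idp.storage.config.IDPConfigStorage"/>
    </method>
    <method id="RemoteSAML2" enabled="true"
            class="com.alfaariss.oa.authentication.remote.saml2.SAML2AuthenticationMethod">
    </method>
  </methods></authentication></websso>
</asimba>"""
```

Running `check_remote_saml2(SAMPLE_ASIMBA_XML)` reports both defects of the second method and nothing for the first; point it at a real asimba.xml before restarting Tomcat to catch the missing-<idpprofile> case early.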